simonepri / phc-argon2

🔒 Node.JS Argon2 password hashing algorithm following the PHC string format.
MIT License

generated hash does not meet specification in parameter order #56

Open mcdurdin opened 3 years ago

mcdurdin commented 3 years ago

The hash generated by these functions does not meet the specification, for example with this hash generated from password 'password':

    $argon2id$v=19$t=2,m=15360,p=1$dTrnxd5KI59MDnWmdM3sZQ$dWdm8NkGkSmtN7ht5eQig872oo1dQenivc450xZ1BKY

The specification requires the parameters to be in a specific order:

> The parameters shall appear in the m,t,p,keyid,data order. The keyid and data parameters are optional; the three others are NOT optional.

nhanledev commented 2 years ago

Any update on this? My app in Java cannot verify the hash from this package because of this issue.

nhanledev commented 2 years ago

This is where the problem is caused: https://github.com/simonepri/phc-argon2/blob/900c5aea9185b69a677ce27ce06aa8a9526222fd/index.js#L172

kamilcglr commented 2 years ago

> Any update on this? My app in Java cannot verify the hash from this package because of this issue.

Hello, I have the same issue. My Spring Auth service cannot verify this hash. Did you find any workaround? I use AdonisJS.

nhanledev commented 2 years ago

The workaround is re-ordering the params object here https://github.com/simonepri/phc-argon2/blob/900c5aea9185b69a677ce27ce06aa8a9526222fd/index.js#L171

        params: {
          m: memory,
          t: iterations,
          p: parallelism
        },
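
For hashes already stored in the `t,m,p` order, one way to detect them and rewrite them into the order the specification requires. This is an added example, not code from this thread or from phc-argon2; the function names are hypothetical. Only the parameter field is reordered, so the salt, the hash bytes and the parameter values are untouched.

```javascript
// Added example (not phc-argon2 code): check and normalize Argon2 PHC strings.
// Parameter order required by the specification quoted in the issue.
const ORDER = ['m', 't', 'p', 'keyid', 'data'];

// Split "$id[$v=N]$params$salt$hash" into fields and validate the parameters.
function parseArgon2Phc(phc) {
  const fields = phc.split('$');
  if (fields[0] !== '' || !/^argon2(id|i|d)$/.test(fields[1] || '')) {
    throw new Error('not an Argon2 PHC string');
  }
  const rest = fields.slice(2);
  // The version field is optional; keep it verbatim when present.
  const version = /^v=\d+$/.test(rest[0] || '') ? rest.shift() : null;
  if (rest.length !== 3) throw new Error('expected params, salt and hash fields');
  const [rawParams, salt, hash] = rest;
  const params = rawParams.split(',').map((kv) => {
    const eq = kv.indexOf('=');
    if (eq < 1) throw new Error(`malformed parameter "${kv}"`);
    return [kv.slice(0, eq), kv.slice(eq + 1)];
  });
  const names = params.map(([k]) => k);
  if (new Set(names).size !== names.length) throw new Error('duplicate parameter');
  for (const k of names) if (!ORDER.includes(k)) throw new Error(`unknown parameter "${k}"`);
  for (const k of ['m', 't', 'p']) if (!names.includes(k)) throw new Error(`missing parameter "${k}"`);
  return { id: fields[1], version, params, salt, hash };
}

// True when the parameters already appear in m,t,p,keyid,data order.
function isSpecOrder(phc) {
  const idx = parseArgon2Phc(phc).params.map(([k]) => ORDER.indexOf(k));
  return idx.every((v, i) => i === 0 || idx[i - 1] < v);
}

// Re-serialize with the parameters sorted into spec order; values are unchanged.
function normalizeArgon2Phc(phc) {
  const { id, version, params, salt, hash } = parseArgon2Phc(phc);
  const sorted = [...params].sort((a, b) => ORDER.indexOf(a[0]) - ORDER.indexOf(b[0]));
  const head = version ? [id, version] : [id];
  return '$' + [...head, sorted.map(([k, v]) => `${k}=${v}`).join(','), salt, hash].join('$');
}

// The hash quoted in the issue (t,m,p order).
const fromIssue = '$argon2id$v=19$t=2,m=15360,p=1$dTrnxd5KI59MDnWmdM3sZQ$dWdm8NkGkSmtN7ht5eQig872oo1dQenivc450xZ1BKY';
console.log(isSpecOrder(fromIssue), normalizeArgon2Phc(fromIssue));
```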